Bug 211466 - Nullptr crash in indentOutdentCommand::formatRange with asynchronous commands: indent and insert list.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-05-05 13:14 PDT by Jack
Modified: 2020-05-07 15:47 PDT
CC: 7 users

See Also:


Attachments
Patch (4.18 KB, patch) - 2020-05-05 13:43 PDT, Jack

Description Jack 2020-05-05 13:14:47 PDT
<rdar://62845430>

0   com.apple.WebCore             	0x000000010eb688d5 WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> >&) + 2421
1   com.apple.WebCore             	0x000000010eafbd3f WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&) + 4639
2   com.apple.WebCore             	0x000000010eafa188 WebCore::ApplyBlockElementCommand::doApply() + 1256
3   com.apple.WebCore             	0x000000010d881fcd WebCore::CompositeEditCommand::apply() + 397
4   com.apple.WebCore             	0x000000010eb6c3c5 WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 229
5   com.apple.WebCore             	0x000000010d8e97b1 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 81
Comment 1 Jack 2020-05-05 13:15:12 PDT
Root cause: the load event fires in the middle of processing the first command, causing a node in use to be removed, as shown in the call stack below.

Test case is 
1. We are processing the indent command (frame #98) and call CompositeEditCommand::splitTreeToNode to prepare for indenting.
2. The position to be split is at #text “b”.
3. In splitTreeToNode, the load event is fired and triggers execution of insertUnorderedList (frame #20), with the selection also being #text “b”.
4. insertUnorderedList makes a copy of #text “b”, inserts it into the UL element and removes the original #text “b”.
5. splitTreeToNode returns the parent of the original #text “b”, which gets assigned to the variable “outerBlock” and is null at this point.
6. Later, in the function indentIntoBlockquote, we try to insert the Quote element into outerBlock; the code needs to deref outerBlock and crashes.

<script>
function run() {
    var iframe = document.createElement('iframe');
    // Straight quotes: the curly quotes in the original attribute value would not parse.
    // The load handler runs synchronously while the indent command is still splitting the tree.
    iframe.setAttribute("onload", "iframeLoad()");
    select.appendChild(iframe);
    document.execCommand("indent", false);
}
function iframeLoad() {
    // Re-entrant editing command: replaces #text "b" while indent still refers to it.
    document.execCommand("insertUnorderedList", false);
    window.getSelection().collapse(select);
}
</script>
<body onload=run() contentEditable=true><details id=details open="true"><div>a</div><form hidden="hidden"><select id=select></select></form>b</details>

Node tree before insertUnorderedList executes:
BODY	0x60c00006c100 (renderer 0x612000058e40) 
	DETAILS	0x60e00004bfa0 (renderer 0x612000058fc0) 
		#document-fragment	0x612000055cc0 (renderer 0x0)  (needs style recalc) (child needs style recalc)
			SLOT	0x60d0000593d0 (renderer 0x0) 
				SUMMARY	0x60c00006c280 (renderer 0x612000059140) 
					#document-fragment	0x612000055e40 (renderer 0x0)  (needs style recalc) (child needs style recalc)
						DIV	0x60c00006c340 (renderer 0x6120000592c0) 
						SLOT	0x60d0000594a0 (renderer 0x0) 
					#text	0x6080000461a0 "Details"
			SLOT	0x60d0000597e0 (renderer 0x0) 
		DIV	0x60c00006c640 (renderer 0x612000059440) 
			#text	0x608000046220 "a"
		FORM	0x612000055fc0 (renderer 0x0) 
			SELECT	0x61300005cfc0 (renderer 0x0) 
				IFRAME	0x6130000670c0 (renderer 0x0) 
*		#text	0x6080000462a0 "b"
	#text	0x608000046320 "\n"


Call stack when #text “b” is removed:
  * frame #0: 0x00000003b1eabeef WebCore`WebCore::Node::setParentNode(this=0x00006080000462a0, parent=0x0000000000000000) at Node.h:739:18
    frame #1: 0x00000003b1eafdf6 WebCore`WebCore::ContainerNode::removeBetween(this=0x000060e00004bfa0, previousChild=0x000060c00002a580, nextChild=0x0000000000000000, oldChild=0x00006080000462a0) at ContainerNode.cpp:615:14
    frame #2: 0x00000003b1eaf29a WebCore`WebCore::ContainerNode::removeNodeWithScriptAssertion(this=0x000060e00004bfa0, childToRemove=0x00006080000462a0, source=API) at ContainerNode.cpp:166:9
    frame #3: 0x00000003b1eae0a9 WebCore`WebCore::ContainerNode::removeChild(this=0x000060e00004bfa0, oldChild=0x00006080000462a0) at ContainerNode.cpp:577:10
    frame #4: 0x00000003b22de6a3 WebCore`WebCore::Node::remove(this=0x00006080000462a0) at Node.cpp:628:20
    frame #5: 0x00000003b26ddafc WebCore`WebCore::RemoveNodeCommand::doApply(this=0x0000611000036dc0) at RemoveNodeCommand.cpp:54:13
    frame #6: 0x00000003b259246d WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000615000091080, command=0x00007ffee4308060) at CompositeEditCommand.cpp:463:14
    frame #7: 0x00000003b258e054 WebCore`WebCore::CompositeEditCommand::removeNode(this=0x0000615000091080, node=0x00006080000462a0, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at CompositeEditCommand.cpp:599:5
    frame #8: 0x00000003b25d06c4 WebCore`WebCore::DeleteSelectionCommand::removeNodeUpdatingStates(this=0x0000615000091080, node=0x00006080000462a0, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at DeleteSelectionCommand.cpp:419:27
    frame #9: 0x00000003b25d12f7 WebCore`WebCore::DeleteSelectionCommand::removeNode(this=0x0000615000091080, node=0x00006080000462a0, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at DeleteSelectionCommand.cpp:479:5
    frame #10: 0x00000003b25d22a6 WebCore`WebCore::DeleteSelectionCommand::handleGeneralDelete(this=0x0000615000091080) at DeleteSelectionCommand.cpp:574:13
    frame #11: 0x00000003b25d75d0 WebCore`WebCore::DeleteSelectionCommand::doApply(this=0x0000615000091080) at DeleteSelectionCommand.cpp:934:5
    frame #12: 0x00000003b259246d WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000611000035380, command=0x00007ffee4308f20) at CompositeEditCommand.cpp:463:14
    frame #13: 0x00000003b258b841 WebCore`WebCore::CompositeEditCommand::deleteSelection(this=0x0000611000035380, smartDelete=false, mergeBlocksAfterDelete=false, replace=false, expandForSpecialElements=false, sanitizeMarkup=true) at CompositeEditCommand.cpp:829:9
    frame #14: 0x00000003b259cda8 WebCore`WebCore::CompositeEditCommand::moveParagraphs(this=0x0000611000035380, startOfParagraphToMove=0x00007ffee430a280, endOfParagraphToMove=0x00007ffee430a2c0, destination=0x00007ffee430a820, preserveSelection=true, preserveStyle=true) at CompositeEditCommand.cpp:1475:5
    frame #15: 0x00000003b25a00a8 WebCore`WebCore::CompositeEditCommand::moveParagraph(this=0x0000611000035380, startOfParagraphToMove=0x00007ffee430a280, endOfParagraphToMove=0x00007ffee430a2c0, destination=0x00007ffee430a820, preserveSelection=true, preserveStyle=true) at CompositeEditCommand.cpp:1396:5
    frame #16: 0x00000003b26c59a6 WebCore`WebCore::InsertListCommand::listifyParagraph(this=0x0000611000035380, originalStart=0x00007ffee430b170, listTag=0x00000003bd3240e8) at InsertListCommand.cpp:414:5
    frame #17: 0x00000003b26c3548 WebCore`WebCore::InsertListCommand::doApplyForSingleParagraph(this=0x0000611000035380, forceCreateList=false, listTag=0x00000003bd3240e8, currentSelection=0x00006060000c7400) at InsertListCommand.cpp:270:25
    frame #18: 0x00000003b26c230f WebCore`WebCore::InsertListCommand::doApply(this=0x0000611000035380) at InsertListCommand.cpp:195:5
    frame #19: 0x00000003b256c6db WebCore`WebCore::CompositeEditCommand::apply(this=0x0000611000035380) at CompositeEditCommand.cpp:372:9
    frame #20: 0x00000003b2697dd8 WebCore`WebCore::executeInsertUnorderedList(frame={ origin = file://, url = file:///Users/jacklee/browser2/min-62845430.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:543:91
    frame #21: 0x00000003b2629830 WebCore`WebCore::Editor::Command::execute(this=0x00007ffee430c0f0, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
    frame #22: 0x00000003b1fae127 WebCore`WebCore::Document::execCommand(this={ origin = file://, url = file:///Users/jacklee/browser2/min-62845430.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, commandName={ length = 19, contents = 'insertUnorderedList' }, userInterface=false, value={ length = 0, contents = '' }) at Document.cpp:5551:54
    frame #23: 0x00000003acdd3612 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommandBody(lexicalGlobalObject=0x000061f0000436e8, callFrame=0x00007ffee430c870, castedThis=0x000060d00000da68, throwScope=0x00007ffee430c6a0) at JSDocument.cpp:6271:57
    frame #24: 0x00000003acaafbde WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(lexicalGlobalObject=0x000061f0000436e8, callFrame=0x00007ffee430c870, operationName="execCommand")), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:53:16
    frame #25: 0x00000003acaaf734 WebCore`WebCore::jsDocumentPrototypeFunctionExecCommand(lexicalGlobalObject=0x000061f0000436e8, callFrame=0x00007ffee430c870) at JSDocument.cpp:6277:12
    frame #26: 0x000028d196001178
    frame #27: 0x00000003dca7e22b JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
    frame #28: 0x00000003dca7e22b JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1045
    frame #29: 0x00000003dca5ebf2 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:296
    frame #30: 0x00000003def73130 JavaScriptCore`JSC::JITCode::execute(this=0x00006040000f2f90, vm=0x000062f00001c400, protoCallFrame=0x00007ffee430ce80) at JITCodeInlines.h:38:38
    frame #31: 0x00000003def744a7 JavaScriptCore`JSC::Interpreter::executeCall(this=0x00006020000157d0, lexicalGlobalObject=0x000061f0000436e8, function=0x000062d000181280, callData=0x00007ffee430ddc0, thisValue=JSValue @ 0x00007ffee430cca0, args=0x00007ffee430e100) at Interpreter.cpp:921:31
    frame #32: 0x00000003df90dd70 JavaScriptCore`JSC::call(globalObject=0x000061f0000436e8, functionObject=JSValue @ 0x00007ffee430d2e0, callData=0x00007ffee430ddc0, thisValue=JSValue @ 0x00007ffee430d300, args=0x00007ffee430e100) at CallData.cpp:58:28
    frame #33: 0x00000003df90e282 JavaScriptCore`JSC::call(globalObject=0x000061f0000436e8, functionObject=JSValue @ 0x00007ffee430d4e0, callData=0x00007ffee430ddc0, thisValue=JSValue @ 0x00007ffee430d500, args=0x00007ffee430e100, returnedException=0x00007ffee430e080) at CallData.cpp:65:22
    frame #34: 0x00000003df90ef2a JavaScriptCore`JSC::profiledCall(globalObject=0x000061f0000436e8, reason=Other, functionObject=JSValue @ 0x00007ffee430d7e0, callData=0x00007ffee430ddc0, thisValue=JSValue @ 0x00007ffee430d800, args=0x00007ffee430e100, returnedException=0x00007ffee430e080) at CallData.cpp:86:12
    frame #35: 0x00000003b1298e8e WebCore`WebCore::JSExecState::profiledCall(lexicalGlobalObject=0x000061f0000436e8, reason=Other, functionObject=JSValue @ 0x00007ffee430da60, callData=0x00007ffee430ddc0, thisValue=JSValue @ 0x00007ffee430da80, args=0x00007ffee430e100, returnedException=0x00007ffee430e080) at JSExecState.h:73:16
    frame #36: 0x00000003b12e816e WebCore`WebCore::JSEventListener::handleEvent(this=0x000060b000056150, scriptExecutionContext={ origin = file://, url = file:///Users/jacklee/browser2/min-62845430.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, event=0x0000607000043070) at JSEventListener.cpp:179:22
    frame #37: 0x00000003b21f348b WebCore`WebCore::EventTarget::innerInvokeEventListeners(this=0x00006130000670c0, event=0x0000607000043070, listeners={ size = 1, capacity = 1 }, phase=Bubbling) at EventTarget.cpp:335:40
    frame #38: 0x00000003b21e9ae4 WebCore`WebCore::EventTarget::fireEventListeners(this=0x00006130000670c0, event=0x0000607000043070, phase=Bubbling) at EventTarget.cpp:267:9
    frame #39: 0x00000003b22f3626 WebCore`WebCore::Node::handleLocalEvents(this=0x00006130000670c0, event=0x0000607000043070, phase=Bubbling) at Node.cpp:2371:5
    frame #40: 0x00000003b21c03ff WebCore`WebCore::EventContext::handleLocalEvents(this=0x0000604000168e90, event=0x0000607000043070, phase=Bubbling) const at EventContext.cpp:55:17
    frame #41: 0x00000003b21c18ee WebCore`WebCore::dispatchEventInDOM(event=0x0000607000043070, path=0x00007ffee430ef20) at EventDispatcher.cpp:100:22
    frame #42: 0x00000003b21c112b WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x00006130000670c0, event=0x0000607000043070) at EventDispatcher.cpp:154:9
    frame #43: 0x00000003b22f367d WebCore`WebCore::Node::dispatchEvent(this=0x00006130000670c0, event=0x0000607000043070) at Node.cpp:2381:5
    frame #44: 0x00000003b3c88195 WebCore`WebCore::DOMWindow::dispatchLoadEvent(this=0x000061400004e840) at DOMWindow.cpp:2217:20
    frame #45: 0x00000003b1f86cfd WebCore`WebCore::Document::dispatchWindowLoadEvent(this={ origin = file://, url = about:blank, inMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:4806:18
    frame #46: 0x00000003b1f865e0 WebCore`WebCore::Document::implicitClose(this={ origin = file://, url = about:blank, inMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:3064:5
    frame #47: 0x00000003b390c2d0 WebCore`WebCore::FrameLoader::checkCallImplicitClose(this=0x000061400004e640) at FrameLoader.cpp:965:25
    frame #48: 0x00000003b390b3c6 WebCore`WebCore::FrameLoader::checkCompleted(this=0x000061400004e640) at FrameLoader.cpp:906:5
    frame #49: 0x00000003b390610f WebCore`WebCore::FrameLoader::finishedParsing(this=0x000061400004e640) at FrameLoader.cpp:816:5
    frame #50: 0x00000003b1fb3e9b WebCore`WebCore::Document::finishedParsing(this={ origin = file://, url = about:blank, inMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:5870:25
    frame #51: 0x00000003b2fb2848 WebCore`WebCore::HTMLConstructionSite::finishedParsing(this=0x0000612000065ee0) at HTMLConstructionSite.cpp:419:16
    frame #52: 0x00000003b304e970 WebCore`WebCore::HTMLTreeBuilder::finished(this=0x0000612000065ec0) at HTMLTreeBuilder.cpp:2843:12
    frame #53: 0x00000003b2fc0db2 WebCore`WebCore::HTMLDocumentParser::end(this=0x000062500026e900) at HTMLDocumentParser.cpp:449:20
    frame #54: 0x00000003b2fbcaf2 WebCore`WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd(this=0x000062500026e900) at HTMLDocumentParser.cpp:458:5
    frame #55: 0x00000003b2fbc742 WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing(this=0x000062500026e900) at HTMLDocumentParser.cpp:153:5
    frame #56: 0x00000003b2fc0ed1 WebCore`WebCore::HTMLDocumentParser::attemptToEnd(this=0x000062500026e900) at HTMLDocumentParser.cpp:470:5
    frame #57: 0x00000003b2fc1009 WebCore`WebCore::HTMLDocumentParser::finish(this=0x000062500026e900) at HTMLDocumentParser.cpp:498:5
    frame #58: 0x00000003b382358d WebCore`WebCore::DocumentWriter::end(this=0x000061f000054110) at DocumentWriter.cpp:288:15
    frame #59: 0x00000003b382137f WebCore`WebCore::DocumentLoader::finishedLoading(this=0x000061f000054080) at DocumentLoader.cpp:452:14
    frame #60: 0x00000003b383abc8 WebCore`WebCore::DocumentLoader::maybeLoadEmpty(this=0x000061f000054080) at DocumentLoader.cpp:1799:5
    frame #61: 0x00000003b383b218 WebCore`WebCore::DocumentLoader::startLoadingMainResource(this=0x000061f000054080) at DocumentLoader.cpp:1813:9
    frame #62: 0x00000003b3973230 WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x00006030000c4068)::$_11::operator()() at FrameLoader.cpp:3509:38
    frame #63: 0x00000003b397236e WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call(this=0x00006030000c4060) at Function.h:52:39
    frame #64: 0x00000003ab522e55 WebCore`WTF::Function<void ()>::operator(this=0x00007ffee4311280)() const at Function.h:84:35
    frame #65: 0x00000003ab5f5c67 WebCore`WTF::CompletionHandler<void ()>::operator(this=0x00007ffee4311870)() at CompletionHandler.h:62:16
    frame #66: 0x00000003b3921383 WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x000061400004e640, request=0x00006120000655e0, formState=0x0000000000000000, navigationPolicyDecision=ContinueLoad, allowNavigationToInvalidURL=Yes) at FrameLoader.cpp:3513:9
    frame #67: 0x00000003b396dc34 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x0000604000112518, request=0x00006120000655e0, formState=0x00007ffee4312d70, navigationPolicyDecision=ContinueLoad)>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at FrameLoader.cpp:1651:9
    frame #68: 0x00000003b396d8c3 WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision>::call(this=0x0000604000112510, in=0x00006120000655e0, in=0x00007ffee4312d70, in=ContinueLoad) at Function.h:52:39
    frame #69: 0x00000003b39e8ce9 WebCore`WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00007ffee4311ff0, in=0x00006120000655e0, in=0x00007ffee4312d70, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) const at Function.h:84:35
    frame #70: 0x00000003b39cd759 WebCore`WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator(this=0x00006120000655d0, in=0x00006120000655e0, in=0x00007ffee4312d70, in=ContinueLoad)(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at CompletionHandler.h:62:16
    frame #71: 0x00000003b39f1475 WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x00006120000655c8, policyAction=Use, responseIdentifier=PolicyCheckIdentifier @ 0x00007ffee4312180)>&&, WebCore::PolicyDecisionMode)::$_7::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) at PolicyChecker.cpp:237:20
    frame #72: 0x00000003b39ee509 WebCore`WTF::Detail::CallableWrapper<WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_7, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(this=0x00006120000655c0, in=Use, in=PolicyCheckIdentifier @ 0x00007ffee43133e0) at Function.h:52:39
    frame #73: 0x00000003b390104c WebCore`WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator(this=0x00007ffee4314900, in=Use, in=PolicyCheckIdentifier @ 0x00007ffee4313560)(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const at Function.h:84:35
    frame #74: 0x00000003b39cc572 WebCore`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(this=0x000060b000059010, request=0x00007ffee4315d80, redirectResponse=0x00007ffee4315e80, loader=0x000061f000054080, formState=0x00007ffee4317f10, function=0x00007ffee4315fc0, policyDecisionMode=Asynchronous)>&&, WebCore::PolicyDecisionMode) at PolicyChecker.cpp:245:9
    frame #75: 0x00000003b391f0f3 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000061400004e640, loader=0x000061f000054080, type=RedirectWithLockedBackForwardList, formState=0x00007ffee4317f10, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffee4317410)>&&) at FrameLoader.cpp:1650:21
    frame #76: 0x00000003b391ae87 WebCore`WebCore::FrameLoader::loadWithNavigationAction(this=0x000061400004e640, request=0x00007ffee4316bf0, action=0x00007ffee4316cf0, type=RedirectWithLockedBackForwardList, formState=0x00007ffee4317f10, allowNavigationToInvalidURL=Yes, completionHandler=0x00007ffee4317410)>&&) at FrameLoader.cpp:1517:5
    frame #77: 0x00000003b39121c3 WebCore`WebCore::FrameLoader::loadURL(this=0x000061400004e640, frameLoadRequest=0x00007ffee4317a50, referrer={ length = 0, contents = '' }, newLoadType=RedirectWithLockedBackForwardList, event=0x0000000000000000, formState=0x00007ffee4317f10, adClickAttribution=0x00007ffee4317f30, completionHandler=0x00007ffee4317fa0)>&&) at FrameLoader.cpp:1426:5
    frame #78: 0x00000003b390d8c3 WebCore`WebCore::FrameLoader::loadURLIntoChildFrame(this=0x0000614000007640, url={ about:blank }, referer={ length = 0, contents = '' }, childFrame={ origin = file://, url = about:blank, isMainFrame = 0, backForwardCacheState = NotInBackForwardCache }) at FrameLoader.cpp:1000:26
    frame #79: 0x00000003b3a1b896 WebCore`WebCore::FrameLoader::SubframeLoader::loadSubframe(this=0x0000602000016fb0, ownerElement=0x00006130000670c0, url={ about:blank }, name={ length = 0, contents = '' }, referrer={ length = 48, contents = 'file:///Users/jacklee/browser2/min-62845430.html' }) at SubframeLoader.cpp:347:22
    frame #80: 0x00000003b3a17f5a WebCore`WebCore::FrameLoader::SubframeLoader::loadOrRedirectSubframe(this=0x0000602000016fb0, ownerElement=0x00006130000670c0, requestURL={ about:blank }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:309:17
    frame #81: 0x00000003b3a17480 WebCore`WebCore::FrameLoader::SubframeLoader::requestFrame(this=0x0000602000016fb0, ownerElement=0x00006130000670c0, urlString={ length = 11, contents = 'about:blank' }, frameName={ length = 0, contents = '' }, lockHistory=Yes, lockBackForwardList=Yes) at SubframeLoader.cpp:98:20
    frame #82: 0x00000003b2a2897d WebCore`WebCore::HTMLFrameElementBase::openURL(this=0x00006130000670c0, lockHistory=Yes, lockBackForwardList=Yes) at HTMLFrameElementBase.cpp:102:44
    frame #83: 0x00000003b2a291a2 WebCore`WebCore::HTMLFrameElementBase::didFinishInsertingNode(this=0x00006130000670c0) at HTMLFrameElementBase.cpp:142:5
    frame #84: 0x00000003b1eb204f WebCore`void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(containerNode=0x000060e00005d0a0, child=0x0000612000055fc0, source=API, replacedAllChildren=No, doNodeInsertion=(anonymous class) @ 0x00007ffee4318ec0)::$_4) at ContainerNode.cpp:213:17
    frame #85: 0x00000003b1eaa43d WebCore`WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(this=0x000060e00005d0a0, newChild=0x0000612000055fc0) at ContainerNode.cpp:726:9
    frame #86: 0x00000003b1eb160b WebCore`WebCore::ContainerNode::appendChild(this=0x000060e00005d0a0, newChild=0x0000612000055fc0) at ContainerNode.cpp:692:12
    frame #87: 0x00000003b271b4ce WebCore`WebCore::SplitElementCommand::executeApply(this=0x00006110000d4340) at SplitElementCommand.cpp:62:21
    frame #88: 0x00000003b271b6fb WebCore`WebCore::SplitElementCommand::doApply(this=0x00006110000d4340) at SplitElementCommand.cpp:69:5
    frame #89: 0x00000003b259246d WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x0000612000063c40, command=0x00007ffee4319a60) at CompositeEditCommand.cpp:463:14
    frame #90: 0x00000003b257e9c7 WebCore`WebCore::CompositeEditCommand::splitElement(this=0x0000612000063c40, element=0x000060e00004bfa0, atChild=0x00006080000462a0) at CompositeEditCommand.cpp:664:5
    frame #91: 0x00000003b25a3529 WebCore`WebCore::CompositeEditCommand::splitTreeToNode(this=0x0000612000063c40, start=0x00006080000462a0, end=0x000060c00006c100, shouldSplitAncestor=false) at CompositeEditCommand.cpp:0:13
    frame #92: 0x00000003b26815e5 WebCore`WebCore::IndentOutdentCommand::indentIntoBlockquote(this=0x0000612000063c40, start=0x00007ffee431a220, end=0x00007ffee431a610, targetBlockquote=0x00007ffee431a490) at IndentOutdentCommand.cpp:0:98
    frame #93: 0x00000003b2683b48 WebCore`WebCore::IndentOutdentCommand::formatRange(this=0x0000612000063c40, start=0x00007ffee431a220, end=0x00007ffee431a610, (null)=0x0000612000063d30, blockquoteForNextIndent=0x00007ffee431a490) at IndentOutdentCommand.cpp:253:9
    frame #94: 0x00000003b25702fe WebCore`WebCore::ApplyBlockElementCommand::formatSelection(this=0x0000612000063c40, startOfSelection=0x00007ffee431af20, endOfSelection=0x00007ffee431af60) at ApplyBlockElementCommand.cpp:153:9
    frame #95: 0x00000003b2683ab6 WebCore`WebCore::IndentOutdentCommand::formatSelection(this=0x0000612000063c40, startOfSelection=0x00007ffee431af20, endOfSelection=0x00007ffee431af60) at IndentOutdentCommand.cpp:243:35
    frame #96: 0x00000003b256e829 WebCore`WebCore::ApplyBlockElementCommand::doApply(this=0x0000612000063c40) at ApplyBlockElementCommand.cpp:90:5
    frame #97: 0x00000003b256c6db WebCore`WebCore::CompositeEditCommand::apply(this=0x0000612000063c40) at CompositeEditCommand.cpp:372:9
    frame #98: 0x00000003b26963b5 WebCore`WebCore::executeIndent(frame={ origin = file://, url = file:///Users/jacklee/browser2/min-62845430.html, isMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, (null)=0x0000000000000000, (null)=CommandFromDOM, (null)={ length = 0, contents = '' }) at EditorCommand.cpp:450:84
    frame #99: 0x00000003b2629830 WebCore`WebCore::Editor::Command::execute(this=0x00007ffee431b5b0, parameter={ length = 0, contents = '' }, triggeringEvent=0x0000000000000000) const at EditorCommand.cpp:1876:12
 

Node tree after insertUnorderedList finishes:
BODY	0x60c00006c100 (renderer 0x612000058e40) 
	DETAILS	0x60e00005d0a0 (renderer 0x612000066ac0) 
		#document-fragment	0x612000063f40 (renderer 0x0)  (needs style recalc) (child needs style recalc)
			SLOT	0x60d000066160 (renderer 0x0) 
				SUMMARY	0x60c0000952c0 (renderer 0x612000066c40) 
					#document-fragment	0x6120000640c0 (renderer 0x0)  (needs style recalc) (child needs style recalc)
						DIV	0x60c000095380 (renderer 0x612000066dc0) 
						SLOT	0x60d000066230 (renderer 0x0) 
					#text	0x608000052620 "Details"
			SLOT	0x60d000066570 (renderer 0x0) 
		DIV	0x60c00006c640 (renderer 0x612000066f40) 
			#text	0x608000046220 "a"
		FORM	0x612000055fc0 (renderer 0x0) 
			SELECT	0x61300005cfc0 (renderer 0x0) 
				IFRAME	0x6130000670c0 (renderer 0x0) 
*	DETAILS	0x60e00004bfa0 (renderer 0x61200006a840) 
		#document-fragment	0x612000055cc0 (renderer 0x0)  (needs style recalc) (child needs style recalc)
			SLOT	0x60d0000593d0 (renderer 0x0) 
				SUMMARY	0x60c00006c280 (renderer 0x61200006a9c0) 
					#document-fragment	0x612000055e40 (renderer 0x0)  (needs style recalc) (child needs style recalc)
						DIV	0x60c00006c340 (renderer 0x61200006ab40) 
						SLOT	0x60d0000594a0 (renderer 0x0) 
					#text	0x6080000461a0 "Details"
			SLOT	0x60d0000597e0 (renderer 0x0) 
		UL	0x60c00002a580 (renderer 0x61200006acc0) 
			LI	0x60c0000295c0 (renderer 0x61200006ae40) 
				#text	0x608000054fa0 "b"
	#text	0x608000046320 "\n"
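The sequence in comment 1 (a multi-step editing command whose DOM mutation synchronously runs script, which removes the node the command is holding) can be reproduced outside WebKit with a small tree model. The following is an added example, not WebKit code and not the patch that landed as r261258: Node, Document, splitElement, splitTreeToNode, indentIntoBlockquote and buildScenario are simplified stand-ins named after the frames in the call stack above, the insertion hook stands in for didFinishInsertingNode firing the iframe's load event, and the null check in indentIntoBlockquote is the generic defensive shape (re-validate any pointer obtained across a point where script could run), chosen here as an assumption rather than taken from the attachment.

```cpp
// Added example, not WebKit code: a toy model of the re-entrancy described in comment 1. Node,
// splitElement, splitTreeToNode and indentIntoBlockquote are stand-ins named after the frames above.
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<Node*> children;
    explicit Node(std::string n) : name(std::move(n)) {}
    Node* parentNode() const { return parent; }
    auto indexOf(Node* c) { return std::find(children.begin(), children.end(), c); }
    void insertBefore(Node* c, Node* ref) {   // ref == nullptr appends
        c->parent = this;
        children.insert(ref ? indexOf(ref) : children.end(), c);
    }
    // c must be a child; clearing parent is what Node::setParentNode(nullptr) does in frame #0
    void removeChild(Node* c) { children.erase(indexOf(c)); c->parent = nullptr; }
};

struct Document {
    std::vector<std::unique_ptr<Node>> arena;   // owns every node
    std::function<void(Node*)> onInsert;        // models didFinishInsertingNode running script (frame #83)
    Node* make(const std::string& n) { arena.push_back(std::make_unique<Node>(n)); return arena.back().get(); }
};

// Like SplitElementCommand: children of `element` before `atChild` move into a clone inserted
// just before `element`. Inserting the clone runs the hook, i.e. script can run here.
void splitElement(Document& doc, Node* element, Node* atChild) {
    Node* clone = doc.make(element->name + "'");
    std::vector<Node*> moved(element->children.begin(), element->indexOf(atChild));
    for (Node* n : moved) { element->removeChild(n); clone->insertBefore(n, nullptr); }
    element->parentNode()->insertBefore(clone, element);
    if (doc.onInsert) doc.onInsert(clone);   // re-entrancy point: the tree may change underneath us
}

// Splits the ancestors of `start` below `end` so that `start` leads its branch and returns the
// node directly under `end` (the code's "outerBlock"), or nullptr if `start` was detached meanwhile.
Node* splitTreeToNode(Document& doc, Node* start, Node* end) {
    Node* node = start;
    while (node && node->parentNode() && node->parentNode() != end) {
        Node* parent = node->parentNode();
        if (parent->indexOf(node) != parent->children.begin())
            splitElement(doc, parent, node);
        node = node->parentNode();   // becomes nullptr once the hook removed `node`
    }
    return node;
}

// The indent step with the guard the crashing path lacked: a pointer obtained across a point
// where script could run is re-validated before it is dereferenced.
Node* indentIntoBlockquote(Document& doc, Node* start, Node* end) {
    Node* outerBlock = splitTreeToNode(doc, start, end);
    if (!outerBlock || !outerBlock->parentNode())
        return nullptr;   // the tree changed under us: abort the command instead of crashing
    Node* quote = doc.make("BLOCKQUOTE");
    outerBlock->parentNode()->insertBefore(quote, outerBlock);
    outerBlock->parentNode()->removeChild(outerBlock);
    quote->insertBefore(outerBlock, nullptr);
    return quote;
}

struct Scenario { Node* body; Node* details; Node* b; };

// Builds BODY > DETAILS > [DIV, FORM > SELECT > IFRAME, #text "b"] as in the node dump above. With
// `reentrant` set, the hook plays the iframe's load handler and does insertUnorderedList's surgery on "b".
Scenario buildScenario(Document& doc, bool reentrant) {
    Node *body = doc.make("BODY"), *details = doc.make("DETAILS"), *form = doc.make("FORM");
    Node *select = doc.make("SELECT"), *b = doc.make("#text b");
    body->insertBefore(details, nullptr);
    details->insertBefore(doc.make("DIV"), nullptr);
    details->insertBefore(form, nullptr);
    form->insertBefore(select, nullptr);
    select->insertBefore(doc.make("IFRAME"), nullptr);
    details->insertBefore(b, nullptr);
    if (reentrant)
        doc.onInsert = [&doc, b](Node*) {
            if (!b->parentNode()) return;   // run once, like a load event
            Node *ul = doc.make("UL"), *li = doc.make("LI");
            li->insertBefore(doc.make("#text b (copy)"), nullptr);
            ul->insertBefore(li, nullptr);
            b->parentNode()->insertBefore(ul, b);
            b->parentNode()->removeChild(b);   // the original "b" is now parentless
        };
    return {body, details, b};
}

int main() {
    Document quiet, noisy;
    Scenario s = buildScenario(quiet, false), r = buildScenario(noisy, true);
    std::printf("no script: outerBlock=%s; re-entrant load event: indent %s\n",
                splitTreeToNode(quiet, s.b, s.body)->name.c_str(),
                indentIntoBlockquote(noisy, r.b, r.body) ? "ran" : "aborted");
}
```

Without the hook, splitTreeToNode hands back the original DETAILS (now holding only "b") and the indent completes; with the hook, the same call returns nullptr because "b" lost its parent inside splitElement, exactly the "outerBlock is null" state in step 5, and the guarded indent aborts instead of dereferencing it. The general lesson for editing-command code is that any node pointer held across an operation that can dispatch events must be treated as possibly stale afterwards.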
Comment 2 Jack 2020-05-05 13:43:50 PDT
Created attachment 398550 [details]
Patch
Comment 3 Geoffrey Garen 2020-05-06 15:58:39 PDT
Comment on attachment 398550 [details]
Patch

r=me
Comment 4 EWS 2020-05-06 16:16:18 PDT
Committed r261258: <https://trac.webkit.org/changeset/261258>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398550 [details].